With app downloads now reaching well into the billions — Apple and Google now average 1 billion downloads per month — concern over privacy rights has prompted a move toward the inclusion of privacy policies in app development.

In 2011, California Attorney General Kamala Harris brokered an agreement with Apple, Google, Microsoft, Amazon, Hewlett-Packard, Research In Motion and Facebook to begin improving mobile privacy protections by requiring privacy policies for apps.

Harris followed that move with a crackdown on companies not complying with the California Online Privacy Protection Act, which requires that all apps must post a privacy policy notice letting users know what personal information is being collected and how that information is being used. Additionally, it requires that users be given the opportunity to read the privacy policy before downloading the app. Harris continued her push for privacy policies at the start of 2013 by issuing a set of guidelines for software developers to follow in developing privacy policies.

Norbert Kugele, a partner at local law firm Warner Norcross, said that while he isn’t sure what influence California’s actions will have on other states or on the federal government’s work on the issue, there is no doubt that privacy policies are becoming a standard expectation for all apps. He expects the Federal Trade Commission will issue its own set of guidelines or even regulations soon, and advises companies developing an app to develop their privacy policy in conjunction.

“I think we are getting to the point where it is clear that you need to have a privacy policy for your mobile app,” Kugele said. “If that wasn’t clear beforehand, I think that has become very clear. That is something that you should count on developing along with your app — a privacy policy that describes what happens (with user information).”

Kugele said it won’t work for a company to simply cut and paste its privacy policy from its website, either.

“With a mobile app, the screens are a lot smaller. If you take that same privacy policy (from your website) and try and squeeze it onto the screen, it’s either going to be so small that nobody can read it or it’s going to run for 40-50 pages and nobody is going to read it either.

“You are probably going to have to develop a shorter version of your privacy policy, something that is very concise and short, and maybe cross references to a more detailed privacy policy on your website but that at least hits the highlights for people so they can be read in one to three screens. The FTC has been messaging very clearly that they don’t think a privacy policy that runs 40-50 pages is going to do the trick.”

Kugele said companies need to make sure they are complying with the policy they set forth, as well.

“If there is a divergence in your privacy policy between what your policy says and what you are actually doing, that is a problem.”

Companies should be transparent about what information is being collected, both actively and passively, and how that information will be used.

Kugele said more apps are being designed to allow users choices or to opt out of providing information. Companies need to think about what information they really need to collect and make sure the app design fits within the needs of the company’s data collection.

“For example, some apps will use your location,” he explained. “Maybe a retailer has an app that will let you locate a store near to you, and to assist with that it will use the geo-location information that your phone has. It will know exactly where you are and can give you information on the nearest store to where you are.”

Companies should create their app privacy policy before designing the app and then make sure it adheres to the policy.

“I think the company itself wants to have a privacy policy first and decide what kind of information they collect, what kind of choices they want to give consumers, because it’s the company’s reputation that is going to be on the line here with the app. The company wants to develop a privacy policy and then, if they are using an outside developer to put together the app, they want to say, ‘OK, so here is the privacy policy that we want to make sure this conforms to.’ I think that is the way to approach it.”

If an app is designed for kids, there are a few additional details to consider, including the Children’s Online Privacy Protection Act, which says that if an app will collect information about children, there must be parental consent.

“The FTC has looked at mobile apps that are out there geared towards children, and they are finding that there is not adequate disclosure and there is definitely not any kind of parental consent, or very rarely is there any kind of parental consent happening, so they are very concerned about that,” Kugele said.

Individuals can also take a more active approach to protecting their privacy.

First, know that apps have the ability to collect everything: location, contacts, photos, texts, emails, social network relationships and even calendar items.

“For a lot of companies, the app will be part of their marketing campaign,” Kugele said. “It’s another way to interact with the customer and give them information about your products and make it easier for the customer to find or use your products or services. So it depends on the purpose. If the purpose of the app is to be an extension of your company, you are probably going to be a little more respectful about people’s privacy and are more likely to give them options because you don’t want to offend the consumer.

“On the other hand, if the purpose of the app is to collect as much information about a consumer as possible — maybe it’s disguised as a game or something like that — you’re less likely to have these kinds of controls.”

The key way for a consumer to ensure private information isn’t collected is to read the privacy policy. If the company is collecting more information than the consumer is comfortable with, that person will have to consider how badly he or she really wants the app. If a company offers choices, the consumer should make sure he or she is taking the time to make those choices on their phone.

“People themselves have to be a little bit careful about what types of apps they are putting on their phone,” Kugele said. “If you’re downloading games on your business iPhone, be aware that some of these are just data collection devices, especially the free apps. Their business model is to collect information and resell it — that’s how they are making money.”

For parents, Kugele said the best thing they can do is to periodically look at the apps their children are downloading and the privacy policies so that they know what information the companies are collecting.

The Future of Privacy Forum, a Washington, D.C.-based think tank, conducted a 2012 study of the top 150 apps from iOS, Android and Kindle Fire, and found that 61.3 percent had a privacy policy. Of the apps that were free, 69.3 percent had a privacy policy, while 53.3 percent of the paid apps had privacy policies. This was an all-around increase from the organization’s 2011 study.

Restricted Content

About GRBJ

Since 1983, the Grand Rapids Business Journal has been West Michigan's primary and most-trusted source of local business news. The weekly print edition of the Business Journal, a must-read for the area’s top decision-makers, is known as the business newspaper of metro Grand Rapids, Holland, Muskegon and all of West Michigan.

grbj.com provides the same trusted and objective business reporting that the Business Journal is known for -- plus real-time original content, timely enewsletters/alerts, exclusive blogs and more. Business Journal subscribers receive the weekly print edition, including bonus publications like the annual Book of Lists, and also complete access to all content on grbj.com.

The Grand Rapids Business Journal is published by Gemini Publications.